[FROM THE EDITOR]

A Tangled Web

A few decades ago, some genius had this outrageous idea: “Let’s put everything online.” Everything. Measureless reams of information all piled up on the World Wide Web. The audacity of this concept should not go unappreciated.

Cool idea. But how will we find anything in this bottomless haystack? That’s what search engines are designed to help with. They are built on spiders that crawl and index the Web continuously, and they run on algorithms that rank everything according to its pertinence and influence on any given topic.

Right now, social networking sites are a critical factor in deciding what’s influential in search. If a page is frequently shared and liked on Facebook, that page is likely to rise in Google’s search results.

Search engine optimization pros, who, like traditional hackers, span a spectrum from white hat to black, noticed this. The darker sorts created a set of tools to help them game the system: XRumer, SEnuke, Hrefer, ScrapeBox, Ignite SEO. These tools automate two key processes: spamming blogs and forums with comments and links, and creating fake social media profiles that let them share, like or +1 their own sites and pages in massive numbers.

And of course the traditional black-hat hackers have noticed this too.

If they can build a Web page that includes links to a malicious site or that delivers a drive-by download of a keylogger, and then get that page to rank high in Google results for some apparently innocuous search term, that’s a great tool for cybercrime. So they employ XRumer and so forth to build fake profiles on Facebook and elsewhere.

And that’s just one of about a million headaches, or opportunities, that Facebook CSO Joe Sullivan has to confront on a daily basis.

Facebook has something like 800 million members; I’m sure it will be higher by the time this issue lands. Both the exploitations of and the potential solutions for modern Web security problems involve not just Facebook, but also Google and Microsoft and indeed the entire Web ecosystem. How can Sullivan help combat a problem of such magnitude? Machine learning, cooperation with search engines, civil lawsuits, user education: pretty much every tool in the security arsenal, and then some. Enjoy his Q&A with freelancer Lauren Gibbons Paul, Page 22.

It’s a job I don’t envy, though I’m certainly glad somebody’s doing it.

-Derek Slater, dslater@cxo.com
[FROM THE PUBLISHER]

You’re Aware!

I had almost lost hope. Not entirely, but almost.

For the last four years, I’ve been watching the decline of awareness training as a security priority. Year after year, it spun downward. But as I sat with a group of security executives the other night, I heard an encouraging thing: They were all focusing on building that awareness training back into their programs or making their existing programs more robust. Could this be part of a broader resurgence in the use of information security awareness training? I can only hope.

Admit it. We’ve all known for years that when we don’t train our employees and trusted users about what is acceptable and what is not, they will do things that expose the business to undue risk. While many businesses have struggled with how to manage tight security budgets in the aftermath of the 2008 recession, security awareness training has fallen on hard times.

Well, it’s time to pick up the mantle of awareness training again and charge forward. Because when we don’t, there can be dire consequences. Security awareness shouldn’t just be targeting your rank-and-file employees, either. A basic risk evaluation in any organization will show that your senior executives likely have access to a significant percentage of the proprietary information that’s stored and transmitted on your networks.

The Wall Street Journal recently reported on a major breach of security at Nortel Networks that dated back to 2000. Apparently, the initial breach was facilitated by the theft of passwords from a handful of Nortel executives. The criminals (apparently from China) then used that access to steal intellectual property over the next 11 years. E-mails, technical papers, research and development work, all stolen. In case you weren’t aware, Nortel Networks no longer exists. One can only wonder what effect this ongoing espionage had on the financial demise of what was once a major player in the networking market. You also have to wonder what led to those passwords being stolen.

Security awareness isn’t very expensive either. In terms of bang for your buck, awareness training ranks right at the top of the list.

Many people would like to just throw up their hands, and often they do, and claim that no matter how much training you do, people will still do stupid things. That may be the case, but if you can reduce those stupid things by just 1 percent, imagine the tremendous effect that could have.

Consider this my challenge to you: Get your security awareness program together and I can almost guarantee you that the results will be positive.

Best regards,

-Bob Bragdon, bbragdon@cxo.com
BLOG POST

Virtualization Security: Better Late Than Never

I am excited to announce my latest research, “The CISO’s Guide to Virtualization Security.” This is the first report in a new series focusing on securing virtual environments. The reduced costs and flexibility of virtualization have led to widespread adoption of the technology. Despite this adoption, security and risk professionals haven’t given their virtual environments the attention that is required. Our research interviews revealed several themes:

■ Business as usual is the status quo. IT departments rely on traditional security solutions (endpoint and network security) to secure their virtual environments. Depending on the network architecture, virtualization can create blind spots in your network, leaving you blind to intra-virtual-machine communication.

■ Many security pros aren’t aware of the virtualization-aware solutions available on the market. One CISO we spoke with wasn’t aware that his organization’s current antivirus vendor offered a virtualization-aware solution. This isn’t necessarily surprising; many of the virtualization-aware security solutions are relatively new to the market. Such solutions afford us the ability to have greater visibility into workloads than we might have in our traditional physical environment.

■ Many security pros have a general discomfort with virtualization. Security pros, especially CISOs and other security leaders who have risen up the technical ranks, aren’t as confident in their virtualization knowledge as they would like to be. This is particularly the case when we compare virtualization with more mature security areas, such as network security.

■ As organizations virtualize more and more servers, the low-hanging fruit has been virtualized and enterprises are now moving on to mission-critical workloads. This stage of virtualization brings up security and compliance concerns that can slow adoption.

As organizations seek to increase virtual server use and navigate a complex compliance landscape, it is critical that security and risk professionals take a fresh look at the security of their virtual environments.

If you haven’t done this, now is the time. Better late than never, after all.

You should strive for virtual security that is at least on par with your traditional security and look for opportunities to implement better security and visibility within your virtual environment.

In this report, we discuss the challenges and risks associated with virtual environments, and make recommendations on how to get into the virtualization security game.

In the future, Forrester will be writing a detailed report on Zero Trust in virtual environments, including guidance for virtual desktop deployments.

—Rick Holland
HACKTIVISM

ANONYMOUS ON THE WARPATH

Hackers dialed in to an international law-enforcement conference call discussing the group

The politically motivated hacking group Anonymous released a 17-minute recording of a conference call between U.S. and British law-enforcement agents who were coordinating an ongoing investigation into the group.

An FBI spokeswoman says the recording was legitimate, but adds that no FBI systems were breached by the hackers. The agency is conducting an ongoing investigation into Anonymous, she says.

A spokesman for New Scotland Yard says he is also aware of the recording and that “the matter is being investigated by the FBI.”

“At this stage, no operational risks to the MPS [Metropolitan Police Service] have been identified; however, we continue to carry out a full assessment,” the spokesman said in a statement. “We are not prepared to discuss further.”

It appears that the hackers obtained an email sent on Jan. 13 to law enforcement agents in the United States, the U.K., Ireland, the Netherlands, France, Germany and Sweden.

The email, titled “Anon-Lulz International Coordination Call,” contained the dial-in number and access code needed for a participant to join the conference, which took place on Jan. 17.

During the conference call, the agents discussed several of the alleged major players in Anonymous, including Ryan Cleary and Jake Davis, both of whom were arrested last year in the U.K. They also discussed other suspects and mentioned their online nicknames.

Although the agents seemed to mention other suspects by name, the references on the recording have been blotted out by a loud beep.

Cleary was arrested last June for supposedly taking part in distributed denial-of-service attacks against the Serious Organized Crime Agency (SOCA). He has been charged with five computer-related offenses and stands accused of distributing tools to build a botnet used to attack SOCA as well as websites of the International Federation of the Phonographic Industry and the British Phonographic Industry.

Davis was arrested last July and is believed by police to be the person behind the online identity Topiary, a spokesman who did interviews with media and ran a prolific Twitter account documenting frequent denial-of-service attacks and data theft escapades of Anonymous and LulzSec.

-Jeremy Kirk

Photo by Stefano Rellandini, Reuters
SALTED HASH

NO DISRESPECT to M86 Security intended. I’ve used a lot of their research in the past and they are always a pleasure to work with. But the latest report they sent me represents a big problem I’m having with these documents lately: They tell us nothing new. Therefore, they are not helpful.

These reports remind me of rock bands who put out three greatest hits albums where the cover art is different but the songs are all the same.

M86’s latest takeaways read just like the last two reports I’ve seen from 10 different vendors. So why pick on one vendor’s report? Simple: It’s the one sent to me the most recently.

Some of M86’s key findings for the second half of 2011 are:

■ National infrastructure is being targeted: Targeted attacks are becoming more sophisticated, and cybercriminals are attacking a broader range of commercial, critical infrastructure and military groups, including RSA, Lockheed Martin and the Asia-Pacific Economic Cooperation.

■ More and more successful targeted attacks rely on stolen digital certificates: Digital certificates confirm for users that something they’ve downloaded is from a trusted vendor. Cybercriminals steal certificates so they can mark malware as a trusted application and trick users into installing it.

■ The Blackhole exploit kit dominates the market: The creators of the kit have been updating it more frequently and have adopted new strategies for evading detection.

■ There was more malicious spam in 2011: Overall spam volume decreased, but the percentage of it that was malicious rose from less than 1 percent to 5 percent during the second half of the year. There was a spike in malicious attachments in August and September.

■ Social media is a popular vector for scams: It’s common practice for spammers to trick users into clicking on infected links by sending them bogus social media notifications.

I think M86 outlines the threat landscape quite accurately. But since there’s nothing new here, I find myself asking: “So what?”

With that kind of attitude, the least I can do is offer some specific ideas on how to make this a more useful exercise.

I have a couple thoughts:

1. Instead of reports that offer a laundry list of threats, maybe we’re better off with more documents that zero in on one specific problem area. For example, one report all about malicious spam or social media risks, with more emphasis on the things we can do to improve the situation. True, reports like that already exist. But more of those are better than more of these hodgepodge reports.

2. Instead of reports that tell us what the bad guys are doing, why not— since we already know what they’re doing— focus on the newest techniques for fighting back? Just dive right in on the latest tools and procedures that have been shown to be successful by security practitioners in the trenches? There are plenty of reports about tools and defenses that are based on what certain vendors are selling. It’s time to hear from the practitioners who aren’t selling anything, but are laboring away like Scotty in Star Trek, concocting ways to save his ship on the fly.

Some food for thought, anyway.

—Bill Brenner

CSOonline’s new Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso
MOBILE MALWARE

Symantec Warns of a Mutating Android Trojan

It employs server-side polymorphism to generate unique variants

Researchers from security vendor Symantec have identified a new premium-rate SMS Android Trojan horse that modifies its code every time it is downloaded in order to bypass antivirus detection.

This technique is known as server-side polymorphism and has already existed in the world of desktop malware for many years, but mobile malware creators have only now begun to adopt it.

A special mechanism that runs on the distribution server modifies certain parts of the Trojan in order to ensure that every malicious app that gets downloaded is unique. This is different from local polymorphism, where the malware modifies its own code every time it gets executed.

Symantec has identified multiple variants of this Trojan horse, which it detects as Android.Opfake, and all of them are distributed from Russian websites. However, the malware contains instructions to automatically send SMS messages to premium-rate numbers from several European and former Soviet Union countries.

In some cases, especially when security products rely heavily on static signatures, detecting malware threats that make use of server-side polymorphism can be difficult.

“As with malware that affects traditional computing devices, the level of sophistication of the polymorphism used can affect how easy or difficult the threat is to detect,” says Vikram Thakur, the principal security response manager at Symantec. “More complicated polymorphism requires more intelligent countermeasures.”

In the case of Android.Opfake, the level of polymorphism is not very high, as only some of the Trojan’s data files are being modified by the distribution server.

“If antivirus vendors place their detection on the executable and nonchanging sections, all files would be successfully detected,” says Tim Armstrong, malware researcher at Kaspersky Lab. However, if the Trojan’s executable code were also polymorphic, the challenge of detecting it would be more difficult, he says.
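Armstrong’s point about where to anchor a signature, worked through as an added example (this is not Symantec’s, Kaspersky’s or the Opfake authors’ code). The script simulates a distribution server that keeps the executable section of an Android-style package fixed while re-randomizing one data file on every download; the package layout (a classes.dex plus an assets file), its contents and the signature are all constructed for illustration and contain nothing that executes. A whole-file hash recorded from one captured sample matches only that sample, whereas a signature on the unchanging classes.dex matches every download.

```python
import hashlib
import io
import zipfile

# Constructed, inert stand-in for the package's executable section. In the
# Opfake case described above this part is NOT rewritten per download.
FIXED_DEX = b"dex\n035\x00" + b"CONSTRUCTED-INERT-CODE-SECTION" * 4

# Signature a scanner could hold: a hash of the non-changing section only.
SIGNATURE_DEX_SHA256 = hashlib.sha256(FIXED_DEX).hexdigest()


def serve_download(download_id: int) -> bytes:
    """Simulate the distribution server: every download gets the same
    executable section but a freshly varied data file (server-side
    polymorphism). download_id stands in for 'which request this was'."""
    varied = hashlib.sha256(download_id.to_bytes(8, "big")).digest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", FIXED_DEX)
        z.writestr("assets/config.dat", b"CONSTRUCTED-DATA:" + varied)
    return buf.getvalue()


def whole_file_sha256(package: bytes) -> str:
    return hashlib.sha256(package).hexdigest()


def dex_sha256(package: bytes) -> str:
    """Hash only the executable section inside the archive."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return hashlib.sha256(z.read("classes.dex")).hexdigest()


def detect_by_whole_file(package: bytes, known_hashes: set) -> bool:
    """Static whole-file signature: defeated as soon as any byte changes."""
    return whole_file_sha256(package) in known_hashes


def detect_by_dex_section(package: bytes) -> bool:
    """Signature on the non-changing section: survives per-download data changes."""
    return dex_sha256(package) == SIGNATURE_DEX_SHA256


def compare_strategies(n_downloads: int = 5) -> tuple:
    """Return (whole-file hits, section hits) across n distinct downloads.
    The whole-file signature is taken from the first sample only, which is
    all a scanner that hashed one captured sample would have."""
    samples = [serve_download(i) for i in range(n_downloads)]
    known = {whole_file_sha256(samples[0])}
    whole_hits = sum(detect_by_whole_file(s, known) for s in samples)
    section_hits = sum(detect_by_dex_section(s) for s in samples)
    return whole_hits, section_hits


if __name__ == "__main__":
    # (1, 5): the whole-file hash catches only the captured sample,
    # the section hash catches every download.
    print(compare_strategies())
```

The same logic explains the caveat in the next sentence: if the server also rewrote classes.dex per download, the section hash would fail too, and detection would have to move to something structural (code behaviour, decompiled call patterns) rather than any fixed byte sequence.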

According to Armstrong, server-side polymorphism is not very widespread on the Android platform at the moment because most users get their apps through official channels, and the current structure of the Android Market does not allow for a malware distribution scheme like this one.

However, he agrees that polymorphic Android malware could force antivirus vendors to step up their game in the future. “I think many of the features that are currently available on traditional platforms will start to arrive on these mobile platforms out of necessity as the criminals change their attack methods,” says Armstrong.

There have been many new developments on the mobile threat landscape recently, and giving more attention to smartphones is a logical move for malware writers, because they usually go where the money is, says Jamz Yaneza, research manager at antivirus company Trend Micro.

Users should educate themselves about this trend and about the capabilities of their mobile devices, which are now similar to those of mobile PCs, Yaneza says. “They should treat app downloads with the same caution as they do desktop [downloads],” he adds, and they should install or use whatever security add-ons they can, because that creates another protective layer.

-Lucian Constantin
CLOUD SECURITY

MANAGING THE UNMANAGEABLE

Vendors offer new wares for taming cloud firewall sprawl

Matthew Scalf is used to adapting to change. As the owner of the Web development and hosting company Izoox, he has presided over plenty of change since his company’s founding in 2002. Izoox started out as a Web development and design firm, then expanded into Web hosting, and now is moving into cloud services. “We like to shield our customers from the complexities of the Internet,” Scalf says.

Izoox offers cloud servers, cloud backup, load balancing and other services. And soon it will move into even more dynamic cloud services that require automatic provisioning of cloud servers and bursting of client services. “This creates new sets of challenges around security and firewall management,” says Scalf.

Consider how difficult it is to control firewall rule sets in on-site networks. Now take those demands and add the dimension of dynamically expanding, shrinking and changing environments where servers and databases are spun up and down at will. “There’s no way we could do it, or that our clients could keep up properly, without some way of automating security policies,” says Scalf.

Scalf is banking on CloudPassage’s new service for cloud-based virtual servers, Halo NetSec, for help with that automation. Halo NetSec offers a firewall, intrusion detection and two-factor authentication for virtual machine server access, and Scalf says the service centralizes and automates host-based firewall workloads, whether they are in a public or private cloud. If a server’s IP address is changed to, say, a domain with stricter security, the firewall’s policies can be automatically updated to reflect that.

According to CloudPassage, Halo NetSec runs a small, 3MB daemon within a virtual machine (VM) that observes the state of the VMs it’s protecting and obtains policies from the CloudPassage computing grid.

“This picks up security abilities where hosting companies and cloud infrastructure providers stop,” says Andrew Hay, a security analyst at 451 Research.

Dome9, another vendor of cloud firewall management tools, recently announced its own way to simplify firewall management: security groups. Dome9 security groups allow organizations to enforce policies across their cloud-based servers. According to Dome9, rather than setting and managing policies for individual servers, Security Groups enable users to automatically manage servers under a single security policy or set of policies.

In the cloud, “the IP addresses of the systems may change, making remote management of endpoint firewalls difficult,” says Hay. “The ability to maintain command and control with products like Dome9 and CloudPassage, even when IP addresses change, should be of great interest to IT administrators.”
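The idea both vendors describe, a policy written against groups of servers that is resolved to current addresses at enforcement time rather than rules written against fixed IPs, as an added example that is not CloudPassage’s or Dome9’s code. The inventory, the policy model and the rendered rule syntax are all constructed for illustration. The two scenario functions show that when web-2 changes its address, or a new web-3 is spun up, only the rendered host rules change and the policy itself is untouched.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    ip: str                      # current address; may change when a VM is re-provisioned
    groups: set = field(default_factory=set)


@dataclass(frozen=True)
class Rule:
    """Group-level policy: allow src_group -> dst_group on proto/port."""
    src_group: str
    dst_group: str
    port: int
    proto: str = "tcp"


def render(servers, policy):
    """Expand group-level policy into concrete per-host allow rules followed by
    a default deny. Addresses are resolved from the inventory at render time,
    so an IP change or a newly spun-up server needs no edit to the policy."""
    members = {}
    for s in servers:
        for g in s.groups:
            members.setdefault(g, []).append(s)
    lines = []
    for rule in policy:
        for src in sorted(members.get(rule.src_group, []), key=lambda s: s.name):
            for dst in sorted(members.get(rule.dst_group, []), key=lambda s: s.name):
                if src is dst:
                    continue
                lines.append(f"allow {rule.proto} from {src.ip} to {dst.ip} port {rule.port}")
    lines.append("deny all")   # everything not explicitly allowed is dropped
    return lines


def diff_rules(old, new):
    """Lines a host-side agent would have to drop and add to move from old to new."""
    return [l for l in old if l not in new], [l for l in new if l not in old]


# Constructed inventory and policy (not from any vendor's product).
INVENTORY = [
    Server("web-1", "10.0.0.10", {"web"}),
    Server("web-2", "10.0.0.11", {"web"}),
    Server("db-1", "10.0.1.20", {"db"}),
]
POLICY = [
    Rule("web", "db", 5432),   # only the web tier may reach the database port
]


def ip_change_scenario():
    """web-2 is re-provisioned with a new address: re-render and return the diff."""
    before = render(INVENTORY, POLICY)
    changed = [Server(s.name, "10.0.0.55" if s.name == "web-2" else s.ip, s.groups)
               for s in INVENTORY]
    after = render(changed, POLICY)
    return diff_rules(before, after)


def scale_out_scenario():
    """A new web server joins the group and inherits the group's rules automatically."""
    before = render(INVENTORY, POLICY)
    after = render(INVENTORY + [Server("web-3", "10.0.0.12", {"web"})], POLICY)
    return diff_rules(before, after)


if __name__ == "__main__":
    for line in render(INVENTORY, POLICY):
        print(line)
    print("after IP change:", ip_change_scenario())
    print("after scale-out:", scale_out_scenario())
```

The design choice worth noting is that the agent on each host only ever receives the rendered lines, while the policy humans review stays at the group level; that is what keeps a fleet with churning addresses reviewable.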

-George  V.  Hulme 
Security Wisdom Watch

This month, we look at decisions that defy logic

Thumbs down: Anonymous. It’s admirable that these guys want to stand up for freedom and human rights. Now if someone can explain how hacking a Boston police website and leaking pcAnywhere source code helps advance those goals, we’re all ears.

Thumbs down: Symantec. The anti-malware giant made some really bone-headed moves this past month, most notably its recent PR misfire over Android malware. One day, Symantec emailed us this alarming headline: “Newly Discovered Android Malware Has Infected Millions of Users.” Days later, it was forced to retract that statement, admitting the threat was nowhere near as dramatic as it had been portrayed. The problem, of course, is that people are now less likely to listen to Symantec if it alerts us to a real threat.

Thumbs down: Attila Nemeth. The 26-year-old Hungarian citizen was sentenced to 30 months in prison and three years of supervised release after sending malicious code to Marriott International and threatening to reveal confidential information taken from the company’s computers if Marriott didn’t offer him a job. Our colleague Michael Cooney summed up this one pretty well in this headline: “How NOT to Get a Job 101.”

Thumbs both ways: RSA Conference 2012. Conference organizers threatened to pull the rug out from under BSidesSF by denying the neighboring event a waiver from its no-compete rules. RSA argued that BSides would hurt attendance on the RSA exhibition floor, even though that hadn’t happened in the two previous years. After much protest, RSA did the right thing and backed down. -B.B.

DATA LOSS

Breaches, Like History, Repeat Themselves

Companies that overlook IT security basics are setting themselves up to be breached. Two recent studies show that if organizations simply focused on fundamental IT security, they’d make great strides in reducing their risk of embarrassing, avoidable and often costly data breaches.

Security vendor Imperva examined attack trends across 40 applications and monitored millions of attacks that targeted Web applications for the six-month period from June through November of last year. The company found that attackers like to target five relatively common application vulnerabilities: remote file inclusion, SQL injection, local file inclusion, cross-site scripting and directory traversal attacks. The majority of these attack vectors have been significant problems for years.

Rafal Los, chief security evangelist for HP Software Worldwide, says the industry’s inability to rid itself of lingering and well-understood software vulnerabilities isn’t caused by a lack of technology. “It’s a behavioral problem. Development organizations have more resources than ever to create a rational, security-infused software development life cycle which doesn’t ‘bolt on’ security at the very last stages,” says Los. “Until security becomes a fundamental business objective, the behaviors that today lead to things like SQL injection will continue.”

However, many (perhaps most) breaches aren’t necessarily due to attacks against software applications, as trivial as those types of hacks are for most cybercriminals. In an Experian survey of 500 IT professionals who primarily report directly or indirectly to a CIO or a CISO, 60 percent of the respondents reported that customer data that was lost or stolen had not been encrypted. Also, the types of information that are most commonly hacked include email (cited by 70 percent of the respondents), credit card or bank payment data (45 percent) and Social Security numbers (33 percent). And, not surprisingly, in cases where organizations were able to determine the cause of a breach, insiders were often at fault: 34 percent said the culprit was a negligent insider, 19 percent attributed the breach to outsourcing of data, and 16 percent said a malicious insider was the main perpetrator.

Perhaps most sobering, only about half of those surveyed said that they believe their organizations make their best effort to protect customer data. And when it came to mitigating the damage associated with a breach, protecting customers wasn’t at the top of the incident response list; lawyering up was: 56 percent said their organizations retained outside legal counsel following a breach, while just 50 percent said they carefully assessed harm to victims.

The Experian study did provide some good news: 66 percent of the respondents said that investigating the cause of a breach will help their organizations determine the causes of potential future breaches. Also, when asked about actions taken following a data breach, 61 percent said their organizations increased their security budgets and 28 percent said they had hired additional IT security staffers.

Eric Cowperthwaite, CSO for Providence Health and Services, agreed that a breach can create an opportunity to move forward. “If leadership chooses to learn from the experience, a breach can be a turning point,” he says. “It can be the time that forces an enterprise to make investments in the people, processes and technology they need.” — G.V.H.
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CYBERATTACK 


Hackers  Hit  Verisign 

Joseph  Menn,  author  of  Fatal  System  Error:  The  Hunt  for  the  New  Crime  Lords  Who 
Are  Bringing  Down  the  Internet  and  keynote  speaker  at  the  last  CSO  Perspectives 
conference,  reports  for  Reuters  about  the  hacking  of  Verisign. 

He  writes  that  Verisign,  the  company  responsible  for  delivering  people 
safely  to  more  than  half  the  world’s  websites  (specifically  those  with  addresses 
ending  in  .com,  .net  and  .gov),  was  hacked  repeatedly  in  2010  by  outsiders  who  stole 
undisclosed  information. 

Verisign  says  its  executives  “do  not  believe  these  attacks  breached  the  servers 
that  support  our  Domain  Name  System  network,”  which  ensures  that  people  land 
at  the  right  numeric  IP  address  when  they  type  in  a  name  such  as  Google.com,  but 
it  did  not  rule  anything  out,  accordingto  Menn.  Verisign's  domain-name  system 
processes  as  many  as  50  billion  queries  daily.  Pilfered  information  from  it  could  let 
hackers  direct  people  to  faked  sites  and  intercept  email  from  federal  employees 
or  corporate  executives,  though  classified  government  data  moves  through  more 
secure  channels. 

“Oh  my  God.  That  could  allow  people  to  imitate  almost  any  company  on  the  Net,” 
says  Stewart  Baker,  former  assistant  secretary  of  the  Department  of  Homeland 
Security  and  before  that  the  top  lawyer  at  the  National  Security  Agency.  Verisign 
reported  the  attacks  in  October  in  a  quarterly  Securities  and  Exchange  Commission 
filing  that  followed  new  guidelines  on  reporting  security  breaches  to  investors.  It 
was  the  most  striking  disclosure  to  emerge  in  a  review  by  Reuters  of  more  than 
2,000  documents  mentioning  breach  risks  since  the  SEC  guidance  was  published. 

The  intrusions  will  likely  become  a  PR  nightmare  for  Verisign,  reminiscent  of  the 
shock  RSA  suffered  last  year  after  discovering  it  had  been  the  victim  of  an  “advanced 
persistent  threat”  (APT). 

When  Menn  writes  about  something  like  this,  security  pros  are  inclined  to  take  it 
seriously.  Fatal  System  Error  is  a  must-read  for  anyone  who  wants  to  understand  the 
culture,  motivations  and  psychology  of  the  people  behind  these  sustained  attacks. 

At  CSO  Perspectives  last  April,  he  described  what  we’re  up  against.  Particularly 
interesting  was  his  view  of  why  there’s  so  much  criminal  activity  in  Russia. 

In  Russia  there  is  no  Silicon  Valley  where  computer  experts  can  make  a  living,  he 
explained.  Jobs  are  scarce,  and  the  Russian  view  of  crime  is  different  from,  say,  that 
of  the  United  States.  “Cybercrime  is  just  another  career  opportunity  to  them,”  Menn 
says.  “Even  the  good  guys  are  on  the  take.” 

During one of my visits to Kaspersky Lab's office in 2007, Eugene Kaspersky essentially told me the same thing.

He  explained  that  after  the  breakup  of  the  Soviet  Union,  a  lot  of  computer 
programmers  had  nowhere  to  go.  It  became  a  game  of  earning  a  living  any  way  you 
could.  -B.B. 
Verbatim...


Shots  heard  ’round  the  security  world 


“We  will  pay  you 
$50,000  USD  total.” 

-Sam  Thomas,  purported  to  be  a 
Symantec  employee  but  using  a  Gmail 
ID,  in  an  email  to  a  hacker  named 
Yamatough.  Thomas  was  trying  to 
keep  stolen  source  code  for  Symantec’s 
pcAnywhere  from  leaking  out,  but 
Yamatough  rejected  the  offer.  Not 
long  afterward,  Anonymous  publicly 
claimed  it  would  release  the  code. 


“I’m  sure  this  is 
just  the  beginning 
of  massive  abuses 
on  websites  hosted 
by  DreamHost.” 


-Zscaler senior security researcher Julien Sobrier, regarding rogue PHP redirect scripts uploaded on hundreds of websites hosted by DreamHost.


“Basically, it’s criminals taking advantage of public infrastructure to appear less suspicious.”


-Rik Ferguson, director of security research and communication for Trend Micro, regarding a piece of malicious software that automatically uploads its stolen data cache to the SendSpace file-sharing service for retrieval.


“The  bad  guys 
are  rotating  through 
scam  pages  trying  to 
stay  ahead  of  Facebook.” 

-Sophos Senior Security Adviser Chester Wisniewski, of a malware-laden fake CNN news page reporting that the United States had attacked Iran and Saudi Arabia.


“Defendants 
failed  to  adequately 
secure  their  Internet 
access,  whether  accessible 
only  through  their  computer 
when  physically  connected 
to  an  Internet  router  or 
accessible  to  many  computers 
by  use  of  a  wireless  router.” 

-Liberty  Media  Holdings,  in  a  lawsuit  against 
more  than  50  Massachusetts  people  it  claims 
used  BitTorrent  file-sharing  technology  to 
illegally  download  and  share  a  gay  porn 
movie.  Liberty  Media  is  a  San  Diego 
producer of adult content.


RISK

Zscaler Offers New Risk-Analysis Service

ThreatLabZ,  the  research 
arm  of  cloud  security 
vendor  Zscaler,  released  a 
free  tool  IT  shops  can  use  to 
assess  their  Web  risks. 

According  to  Zscaler 
ThreatLabZ,  the  average  Web 
user  encounters  three  to  four 
threats  per  day. 

In an effort to help secure all users, Zscaler ThreatLabZ released a free security service for analyzing Web pages for malicious content. Called Zulu, the service is freely available to all Web users. Zscaler describes it as the most comprehensive of its kind: it pulls data from website content as well as the URL, the host and multiple threat sources to produce a real-time risk score, and it can still score a page whose content is unavailable because the page is down.

It  also  provides  historical 
scores,  showing  when  sites 
were  first  compromised  or 
cleaned  up. 

And  unlike  similar  services, 
Zulu  results  are  always  in  real 
time  (never  static),  providing  the 
user  with  the  best  possible  data 
on  any  given  Web  page. 

Zscaler also launched ThreatLabZ Portal, a single source of continually updated content designed to showcase the latest research initiatives and free security tools, such as Zulu, from Zscaler ThreatLabZ.

-B.B. 
SPAM


Spammers  Abuse  Hundreds 
of  DreamHost  Websites 

Rogue PHP pages that redirect users to work-at-home scams have been added to hundreds of websites hosted by DreamHost following a security breach the company suffered in January, say researchers from cloud security vendor Zscaler.

DreamHost  decided  to  reset  the  FTP  and  shell  access  passwords  for  all  of  its 
customers  after  discovering  that  hackers  compromised  one  of  its  database  servers 
on  Jan.  20. 

According  to  Zscaler,  DreamHost  said  at  the  time  that  no  malicious  activity  had 
been  immediately  detected  on  its  customers’  accounts,  but  the  situation  might  have 
changed  in  the  meantime. 

Following the DreamHost hack, many websites hosted by the company have been hijacked to redirect users to a Russian scam page, says Zscaler senior security researcher Julien Sobrier in a blog post on Friday. “I’ve identified hundreds of websites hosted by DreamHost that contained a PHP page redirecting to hxxp://www.otvetvam.com.”

The  landing  website  promoted  a  work-at-home  scam  in  Russian.  These  kinds  of 
scams  have  been  around  for  many  years,  and  they  usually  trick  users  into  buying  a 
so-called  starter  kit  that  is  supposed  to  help  them  earn  money  on  the  Internet.  “I’m 
sure  this  is  just  the  beginning  of  massive  abuses  on  websites  hosted  by  DreamHost,” 
Sobrier says. However, other Web security researchers are not convinced that these attacks are necessarily connected to the DreamHost breach.

Website  integrity  monitoring 
firm  Sucuri  Security  has  been 
tracking  these  attacks  and  similar 
ones  for  a  while  now,  and  it  can’t 
say  whether  they  started  before 
or  after  the  DreamHost  security 
breach,  or  whether  they  affect 
only  websites  hosted  there,  says 
David  Dede,  a  security  researcher 
with  the  company.  According  to  Dede,  most  of  the  compromised  websites  analyzed 
by  Sucuri  had  outdated  software  and  other  security  issues. 

Independent security researcher Denis Sinegubko, who created the Unmask Parasites Web scanner, looked at some of the compromised websites given as examples by Zscaler and determined that they all had a backdoor PHP script installed on Dec. 26, long before the DreamHost breach. But it might still be an infrastructure-wide compromise, he says.

Sinegubko  was  also  able  to  tell  who  was  behind  this  attack  campaign  because 
he’d  seen  some  of  the  spam  domains  before.  “It’s  the  gang  that  promotes  one  of  the 
largest  scam  campaigns  in  Russian,”  the  researcher  says.  “They  target  themes  such 
as  genealogy,  horoscopes,  medical  devices,  diets,  free  downloads  and  all  other  sorts 
of  snake  oil." 

Regardless  of  whether  these  sites  were  compromised  as  a  result  of  stolen 
credentials,  a  misconfiguration  or  vulnerabilities  in  outdated  software,  webmasters 
should  follow  security  best  practices.  These  include  regularly  reviewing  the  access 
logs  for  suspicious  activity,  checking  their  Web  directory  trees  for  any  newly  created 
files  that  look  out  of  place,  changing  their  administrative  passwords  regularly  and 
keeping  their  software  up  to  date.  Scanning  their  websites  with  free  services  like 
Zulu,  Sucuri  or  Unmask  Parasites  is  also  recommended.  -L.C. 
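The advice above to check the Web directory tree for newly created files that look out of place can be automated. The script below is an added example written for this page (it is not Zscaler's, Sucuri's or Unmask Parasites' scanner): it walks a web root, keeps only PHP files modified within a window, and flags those matching generic indicators of a rogue redirect page or a PHP backdoor. It goes one step beyond the article's redirect case by also flagging the eval(base64_decode(...)) idiom. The sample site tree, the indicator patterns and the scam host name are constructed for the demo and are assumptions, not signatures taken from the article.

```python
"""Sweep a web directory tree for recently added PHP files that look like
rogue redirect pages or backdoors.

Added example, not code from Zscaler, Sucuri or Unmask Parasites. The sample
site tree below is constructed for the demo; the indicator patterns are
generic assumptions, not signatures from the article."""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Generic indicators (assumptions for the example): an unconditional redirect
# to an external host, a meta-refresh redirect, and the eval(base64_decode())
# idiom used by many PHP backdoors.
INDICATORS = {
    "redirect": re.compile(r"""header\s*\(\s*['"]Location:\s*https?://""", re.I),
    "meta_refresh": re.compile(
        r"""<meta[^>]+http-equiv=['"]refresh['"][^>]+url=https?://""", re.I),
    "encoded_eval": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}


@dataclass
class Finding:
    path: str        # path relative to the web root
    indicator: str   # which INDICATORS key matched
    mtime: float     # file modification time (epoch seconds)


def scan_webroot(root, max_age_days=30, now=None):
    """Return Findings for PHP files under root modified within max_age_days
    that match any indicator, newest first."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    findings = []
    for path in Path(root).rglob("*.php"):
        st = path.stat()
        if st.st_mtime < cutoff:
            continue  # old file: part of the baseline, not this sweep
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        rel = path.relative_to(root).as_posix()
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                findings.append(Finding(rel, name, st.st_mtime))
    findings.sort(key=lambda f: f.mtime, reverse=True)
    return findings


def build_sample_site():
    """Constructed demo tree: an old legitimate index.php, a new legitimate
    contact form, a fresh redirect page and a fresh backdoor. The scam host
    name is a placeholder, not the domain from the article."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    old = time.time() - 400 * 86400
    files = {
        "index.php": "<?php include 'header.php'; echo 'Welcome'; ?>",
        "contact.php": "<?php if ($_POST) { mail('me@example.invalid', 'hi', $_POST['msg']); } ?>",
        "wp-content/uploads/go.php": "<?php header('Location: http://scam.example.invalid/'); exit; ?>",
        "wp-includes/class-cache.php": "<?php eval(base64_decode($_REQUEST['c'])); ?>",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    os.utime(root / "index.php", (old, old))  # make index.php look old
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f in scan_webroot(site):
        print(f"{f.indicator:13s} {f.path}")
```

Two caveats a practitioner will recognize: an attacker can reset a file's modification time with touch, so the time window is a triage aid, not proof, and should be paired with the access logs and, ideally, a manifest of known-good file hashes; and the indicator list is deliberately generic, so review hits by hand before deleting anything.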

Virtuous Virtualization

By Bernard Golden


Virtualization  represents  a 
sea  change  in  IT  practices. 
Bound  for  years  by  the  “one 
application,  one  server”  rule, 
IT  infrastructure  was  over 
capacity,  underused  and  not  cost-effective. 

With  the  advent  of  virtualization  and 
the  associated  move  to  hosting  multiple 
virtual  machines  on  a  single  server,  many 
of  these  problems  disappeared. 

Because multiple virtual machines can be placed on a single server, IT organizations can ensure that the machine’s processing power is portioned out to many applications. Utilization, often measured in single digits, can be increased to 70 percent or more, ensuring that far less capital is wasted on high-cost, little-used servers.

It’s also no secret that the movement toward virtualization has experienced what is sometimes referred to as “virtualization stall.” This refers to the fact that many organizations get around 25 percent of their total server population virtualized, and then progress stops.

When you look into why this happens, you usually find that the organization has virtualized all of the easy servers (for example, dev machines and low-risk internal IT applications like DNS) but has failed to virtualize its production applications.

There are many reasons for this stall, but an important one is security. Essentially, security groups are unsure how to apply practices designed for a physical environment to a virtualized one. Despite this confusion, the direction is clear: Security practices must be updated to break the logjam of virtualization stall.

Here are three of the most common issues confronted by security organizations as they move toward a virtualized future:


Lack of Visibility Into Network Traffic

Many security organizations monitor network traffic to identify and block malicious traffic and penetration attempts. Vendors have delivered specialized appliances that perform monitoring to ease the headaches of installation and configuration. These appliances can be installed on the network just like another server, and they can be up and running in hours or days. The appliance approach has simplified security practices and been an enormous boon to hard-pressed security groups and IT operations.

Illustration by John Weber

There’s one problem with this approach, though, in a virtualized world. Virtual machines on the same server communicate via the hypervisor’s internal networking, with no packets crossing the physical network where the security appliance sits ready to sniff them. Of course, if the virtual machines (VMs) reside on different servers, inter-VM traffic will run across the network and be available for inspection. For performance reasons, however, virtual machines associated with the same application (for example, an application’s Web server and database server) are often on the same physical server.

Fortunately,  vendors  have  stepped 
forward  to  address  this.  Virtualization 
vendors  have  provided  hooks  into  their 
hypervisors  that  network  vendors  such 
as  Cisco  and  Arista  have  used  to  integrate 
with  virtual  switches  that,  in  turn,  enable 
traffic  inspection.  So  this  problem  is  not 
insurmountable,  though  it  does  require  an 
upgrade  to  the  current  method  of  network 
switching  and  the  use  of  security  products 
integrated  with  the  newer  model.  You  can 
translate  this  as  a  need  for  more  financial 
investment. But lack of visibility alone is no reason for organizations to put off virtualizing production applications.

Performance-Sapping 
Security  Overhead 

The benefits of supporting multiple virtual machines on a single server have become obvious to the server manufacturers themselves, and they have modified their server designs accordingly. Unlike yesterday’s pizza box 1U machine that could support perhaps five virtual machines, today’s 4U blade servers come stuffed with hundreds of gigabytes of memory and numerous network interface cards. As a result, servers can now commonly support 25 or 50 virtual machines. Cost-effectiveness and utilization are high, but hosting so many VMs on a single box can cause other issues.

One common problem is the result of each server managing its own security products. A prime example is antivirus. In many IT organizations, every server updates its antivirus signature files at the same time every day, resulting in 25 or 50 virtual machines launching the same activity all at once. This bogs down the server, resulting in lower throughput.

Fortunately, new technical solutions are available. First, just as the virtualization vendors opened up APIs to allow network vendors to integrate into the hypervisor, they now have also opened up APIs to allow security companies to deliver new products that do not need to be installed on every virtual machine. Instead, the products themselves are virtual machines.

When the hypervisor recognizes traffic that requires, say, calling an antivirus program (for example, an access call for a document that must be scanned before opening), it forwards the call to the antivirus software on the virtual machine, and the VM performs the scan. Instead of 25 machines all running their own antivirus, one virtual machine runs antivirus on behalf of all 25—obviously a better approach.

The second approach is, as you might guess, cloud-based. For something like the repetitive antivirus scanning of documents, which requires the distribution of hundreds of thousands (perhaps even millions) of copies of antivirus signature files, why not have the millions of end points call one centrally located, cloud-based solution? The vendor can ensure it has sufficient resources to handle all traffic, and the user avoids performance issues and doesn’t have to invest more capital in security software. This approach offers significant benefits, and we’ll be hearing more about cloud-based approaches to security in the near future.

The  Perimeter  Is  Breached 

In January I attended the inaugural Security Threats Conference in Washington, D.C. One theme that was covered is that it is foolish to believe that your perimeter is impenetrable. The rise of organized criminal enterprises and the emergence of state-sponsored hackers mean that extremely sophisticated attacks are being marshaled against interesting targets.

Larry Clinton, CEO of the Internet Security Alliance, provided some frightening statistics about current security threats and their effect on today’s practices. In a word, today’s security approaches are inadequate. Malevolent actors will get onto your network if they turn their gaze to your organization. They can set up long-lived, long-running bots that sift through your servers to identify and steal important data. These actors go under the rubric “advanced persistent threats,” or APT for short.

What  to  do? 

One approach, of course, is to integrate a new layer of security products designed to address APT. There are old and new vendors ready to sell you products targeted at APT. I won’t dismiss this approach, but my take on this type of threat is that it increases the importance of security practices at the individual server or VM level—in other words, security at the instance level. You should definitely be running integrity monitoring and use an on-board intrusion-prevention system.

Putting  these  products  on  each  virtual 
machine  clashes  with  the  “move  security 
off  the  VM”  approach,  of  course,  but  here’s 
a  better  way  to  think  about  it:  security  that 
can  only  be  executed  on  the  machine  should 
be  on  the  machine,  while  security  that  can 
be  shared  across  several  machines  should 
be  migrated  to  a  central  location.  There  is 
no  perfect  answer,  but  security  has  always 
been  a  balancing  act,  right? 

Conclusion 

The  economics  of  virtualization  mean  that 
this  model  of  computing  is  likely  to  become 
widespread.  Trying  to  ward  off  this  spread 
just  because  current  security  practices  are 
not  supported  is  like  trying  to  hold  back  the 
rising  tide,  which  is  futile.  ■ 


Bernard Golden is CEO of HyperStratus, which specializes in virtualization and cloud-computing issues.
With a Little Help From His 800 Million Friends


The  CSO  of  Facebook  talks  about  spam,  fake 
accounts,  cooperating  with  Google  and  Twitter, 
and  much  more  By  Lauren  Gibbons  Paul 


The eyes of the online world are on Joe Sullivan.

As the CSO of Facebook, Sullivan is without a doubt one of the most visible security chiefs in the business. He must mitigate myriad security and privacy risks not only for Facebook’s employees and corporate systems, but also for the social network’s 800 million members.

Sullivan,  44,  joined  Facebook  in  2008. 
He  moved  to  the  private  sector  10  years  ago 
to  focus  on  security,  and  before  that  he  was 
a  federal  prosecutor  for  eight  years.  His 
legal  background  has  come  in  handy  of 
late,  as  Facebook  has  sued  several  people 
for  misusing  the  service. 

CSO  contributor  Lauren  Gibbons  Paul 
talked  to  Sullivan  about  the  challenges  of 
managing  security  on  a  rapidly  evolving 
social  network. 


CSO:  With  all  the  publicity  about 
privacy  and  security  regarding 
Facebook,  what  do  you  regard  as 
the  biggest  threats? 

Joe  Sullivan:  I  think  the  challenge 
with  being  at  Facebook  is  that  it’s  always 
about  trust.  People  need  to  feel  secure 
when  they  use  Facebook.  When  it  first 
came  along,  people  were  not  comfortable 
putting  their  photo  and  real  name  on  the 
Internet.  But  that’s  the  way  Facebook 
works—it’s your real name and real identity interacting with real people in your
life.  If  [members]  experience  something 
that  erodes  their  trust  in  that  experience, 
they’re  not  going  to  come  back. 

[So]  we  have  to  invest  really  heavily  in 
security.  That’s  not  just  someone  getting 
access  to  your  account  directly,  but  your 
experience  of  someone  else’s  account 
getting  compromised.  If  your  friend  gets 
compromised,  you  feel  it.  It  undermines 
your  trust  in  your  experience. 


The network effect can be used for bad
as  well  as  good.  That’s  why  we’ve  invested 
heavily  in  security  for  a  long  time.  No 
individual  can  be  on  top  of  all  the  different 
risks  every  day— it  has  to  be  orchestrated 
across  a  bunch  of  different  groups. 

I’m  always  concerned  about  the  risk 
of  a  compromised  account.  There  are 
high-profile  individuals,  companies  and 
governments  that  use  Facebook  as  a  way  to 
communicate.  That  means  we  need  to  make 
sure  they’re  comfortable  coming  on  to  Face- 
book  and  feel  secure  in  using  it.  We’ve  seen 
situations  where  high-profile  accounts  get 
compromised.  That  is  guaranteed  to  draw 
attention  and  undermine  trust. 

What  is  your  strategy  for 
dealing  with  misappropriated 
credentials? 

We  created  some  great  technology 
modeling  the  behavior  of  a  real  account.  It’s 
machine learning. We have a large group of engineers working on this all the time.

Six hundred thousand times a day, someone tries to log into an account using [stolen login information]. We catch them and block them.

I  had  a  meeting  with  someone  from 
a  vendor  earlier  today,  and  he  told  me  he 
tried  to  log  into  his  Facebook  account  on 
the  hotel  computer  [and  was  presented 
with  a  security  challenge  question].  He 
was  coming  from  a  public  computer,  and 
he  had  the  right  password.  [But]  public 
computer plus different state, that triggered the social verification process. Some
services  would  just  look  at  that  type  of 
activity  as  a  risky  log-in.  We  do  something 
different,  which  is  social  verification.  We 
presented  him  with  profile  photos  of  his 
friends  [and  had  him  pick  their  names]. 

We’ve  gotten  better  at  this.  Using 
machine  learning,  we  can  figure  out  who 
are  the  friends  you  interact  with  the  most 
on  Facebook. 

How  is  this  learning 
accomplished? 

If  I  [refuse  a  friend  request],  I  have  now 
sent  two  different  messages  to  Facebook 
about  that  account.  Even  in  a  single  friend 
request,  we  can  see  a  lot  of  different  ways 
to  learn  from  that  experience.  We  call  it  the 
Facebook  immune  system.  It’s  basically 
scoring  every  interaction  against  the  site. 

Looking [back at the earlier example], what if he was coming from [his home] state but was sending 100 messages per hour, as opposed to last month when he sent 100 messages in all? We can detect
that change in behavior. Credit card companies do [something similar.] One time I flew to San Francisco for work, and I had some spare time so I bought my wife an engagement ring. (I didn’t buy her a ring when we got engaged.) So, in San Francisco I used a credit card to buy a ring for
her.  They  called  her  and  got  her  to  validate 
that  it  was  an  acceptable  purchase.  With 
the  credit  card  industry,  they’re  custom¬ 
izing  their  flags  to  their  environment  and 
the  patterns  of  abuse  they  see.  We  have  a 
unique  environment,  so  we  have  to  build 
a  unique  profile  of  [users’]  pattern  of  use 
and  protect  against  misuse. 

When  you  show  up  on  day  one  as  a 
new  user,  you  start  acting  a  particular  way. 
If  you  show  up  as  a  fake  user,  you  start 


acting  a  different  way.  So,  the  best  security 
feature  on  Facebook  is  something  we  don’t 
have  to  do;  it’s  the  reporting  mechanism 
we  provide  for  the  people  who  use  Face- 
book.  It’s  not  just  that  you  are  a  fake  user 
and  you  send  an  inordinate  number  of 
friend  requests  to  a  category  of  users.  You 
actually  also  set  off  alarms  to  other  people. 

A  fake  account  thrashes  around  in  the 
Facebook  environment  so  differently  from 
the  way  a  real  person  behaves.  It’s  like 
the  largest  and  most  effective  Community 
Watch  program  in  the  world. 
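The account-behavior checks Sullivan describes in the answer above (a correct password from a public computer in a different state triggering social verification, and a message rate far above the account's own history betraying a hijacked account) can be sketched as a baseline-plus-scoring routine. The code below is an added example written for this page, not Facebook's immune system; the signals, weights, thresholds, action names and the constructed activity history are assumptions for the illustration.

```python
"""Behavioral baseline and risk scoring for account activity.

Added example in the spirit of the checks described in the interview; it is
not Facebook's system. Signals, weights, thresholds and the constructed
activity history are assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Activity:
    state: str     # region the session came from
    device: str    # device fingerprint; "public" marks a shared machine
    messages: int  # messages sent in a one-hour window


@dataclass
class Baseline:
    usual_states: set
    known_devices: set
    msg_mean: float
    msg_std: float


def build_baseline(history):
    """Learn what 'normal' looks like from the account's own past windows."""
    counts = [a.messages for a in history]
    return Baseline(
        usual_states={a.state for a in history},
        known_devices={a.device for a in history if a.device != "public"},
        msg_mean=mean(counts),
        msg_std=pstdev(counts),
    )


def score(baseline, event):
    """Return (risk, reasons). Each signal adds weight; a burst of messages far
    above the account's own mean counts most, because that is what a hijacked
    account spamming its friends looks like wherever it logs in from."""
    risk, reasons = 0, []
    if event.state not in baseline.usual_states:
        risk += 30
        reasons.append("new state")
    if event.device == "public":
        risk += 30
        reasons.append("public computer")
    elif event.device not in baseline.known_devices:
        risk += 15
        reasons.append("unknown device")
    # z-score against the account's history, with a floor on the standard
    # deviation so a very regular account is not flagged for tiny changes
    z = (event.messages - baseline.msg_mean) / max(baseline.msg_std, 1.0)
    if z > 5:
        risk += 50
        reasons.append(f"message burst (z={z:.1f})")
    return risk, reasons


def decide(baseline, event):
    """Map risk to an action: allow, social verification challenge, or block."""
    risk, reasons = score(baseline, event)
    if risk >= 80:
        action = "block"
    elif risk >= 40:
        action = "social_verification"
    else:
        action = "allow"
    return action, risk, reasons


# Constructed history: ten hourly windows from home, a few messages each.
HISTORY = [Activity("WA", "laptop-1", n) for n in (2, 4, 3, 3, 5, 2, 3, 4, 3, 3)]

if __name__ == "__main__":
    b = build_baseline(HISTORY)
    for ev in (Activity("WA", "laptop-1", 4),    # ordinary session
               Activity("NV", "public", 3),      # hotel computer, right password
               Activity("WA", "laptop-1", 100),  # home, but spamming
               Activity("NV", "public", 100)):   # new place, shared box, spamming
        print(ev, "->", decide(b, ev))
```

The interesting design point is that the burst signal is relative to the account's own history rather than a global limit, so 100 messages an hour is alarming for this account even from its usual laptop. In a real system the challenge outcome feeds back into the baseline (a passed social verification would add the device to known_devices), which is the "learning from every interaction" the interview describes.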

What  have  been  some  other  trust 
issues  you’ve  dealt  with? 

A  couple  of  years  ago,  the  biggest  bane 
of  Facebook  was  half  the  people  loved  to 
use  games,  and  the  other  half  hated  hearing 
about  the  games.  So,  we  had  to  respond  to 
that,  but  we  also  had  to  address  the  under¬ 
lying  issue,  which  was  that  [people]  didn’t 
want  to  spam  their  friends.  For  the  game 
developers,  the  more  you  spammed  your 
friends,  the  more  successful  they  were. 

Now,  if  you  want  to  play  games  on 
Facebook,  you  can  have  that  experience 
without  sharing  what  you’re  doing.  If  you 
don’t  want  anything  to  do  with  Words 
With  Friends,  for  example,  you  have  the 
ability  to  hide  anything  having  to  do  with 
Words  With  Friends.  If  my  news  feed 
shows  one  of  my  friends  is  listening  to  a 
song  on  Spotify,  I  can  hide  it,  report  the 
story  as  spam,  or  I  can  dial  up  or  down 
how  much  I  hear  from  this  friend.  Or  there 
is  another  option,  “Hide  all  by  Spotify.” 
You  can  make  it  go  away. 


How  do  you  deal  with  fake 
accounts  created  using  black-hat 
SEO  tools  such  as  XRumer? 

We  spend  a  lot  of  time  and  energy  on 
both  sides  of  fighting  it.  We  have  a  bunch 
of  different  relationships  to  get  known  bad 
URLs  so  we  can  block  those  immediately. 
There’s a Google list, and we’re always getting new lists and not letting people send those links through our service.

It’s  detection  and  mitigation.  When  the 
spammers  try  to  target  our  network,  we 
go  after  them  aggressively.  We  send  cease- 
and-desist  letters.  We  file  civil  suits. 

Just today, our general counsel appeared in front of the Washington attorney general to go after clickjackers. We try
to  get  criminal  enforcement  of  these  civil 
actions.  If  you  can  demonstrate  they  are 
using  malware  and  taking  over  accounts, 
you  can  get  law  enforcement  involved. 

We  have  had  some  success  against 
the  Koobface  Russian  gang.  The  New  York 
Times  ran  a  story  that  we  looped  them  in 
on  where  we  said  the  number-one  type 
of  malware  attacking  Facebook  had  been 
due  to  the  Koobface  gang  out  of  Russia.  We 
were  able  to  disrupt  their  network. 

No Facebook user has been compromised since last year. We worked with
some  experts  to  reveal  the  names  and 
identities  of  group  members. 

Another  one  was  Sanford  Wallace, 
aka  Spamford  Wallace.  He’s  based  in  Las 
Vegas.  We  filed  a  civil  suit  against  him 
under  the  CAN-SPAM  Act.  We  won  the 
two  largest  judgments  since  this  act  was 
created.  The  federal  judge  ordered  the  U.S. 
Attorney’s office to open an investigation.
That’s  very  unusual. 

We  have  a  “scout”  wall  in  our  office. 

We  put  up  [articles  about]  our  successes 
in  going  after  individuals  who  have  tried 
to attack our users. We got an $873 million judgment against Adam Guerbuez.
[Editor’s  note:  Guerbuez  was  convicted  of 
sending  out  4  million  commercial  spam 
messages  through  Facebook.]  We  localized 
the  judgment  in  Canada,  and  we  keep 
moving  forward. 

There  are  many  different  ways  to 
skin  a  cat.  In  one  case,  instead  of  doing 
a  cease-and-desist,  we  reached  out  to 
the  individual’s  mother,  because  it  was 
a  teenager  living  at  home.  She  made  him 
send  us  a  letter  and  a  check.  We  always 
ask,  What’s  the  fastest  way  to  make  them 
stop?  For  that  individual,  it  was  through 
the  mother.  Every  time  we  have  filed  a  civil 
suit,  the  abuse  has  stopped  immediately.  It 
has  a  chilling  effect,  even  if  we  don’t  ever 
collect  a  penny. 


We  pay  attention  to  the  black-hat 
forums.  They’re  talking  about  what  works 
against  this  service  and  what  doesn’t  work 
against  that  other  service.  No  one  wants 
an  $800  million  judgment  hanging  over 
their  head. 

Do  you  check  in  with  your 
counterparts  at  Google  and 
Twitter  to  see  how  they  deal  with 
this  kind  of  problem? 

We  collaborate  with  them  all  the  time, 
formally  and  informally.  We  don’t  compete 
on  security.  A  rising  tide  lifts  all  ships,  and 
that’s  the  way  we  all  view  it. 

We  defeated  Koobface  last  year,  at  least 
temporarily. We have had no compromises on our site since last March. A lot
of  smaller  sites  were  having  problems,  so 
we  announced  we  were  going  to  share  this 
information. 

We  put  together  an  information  packet 
and  shared  this  information.  That’s  not  a 
strategy  that  you  use  in  every  case.  We  get 


information from other companies, like the bad URL list. We all share those. Or if there’s a situation in which it looks like a large number of email addresses and passwords from one email provider have been compromised, we’ll give them the email addresses from our list so they can require those users to reset their passwords. And they’ll do that for us. It’s a very collaborative environment.

There  are  a  lot  of  security  conferences 
around  the  world  where  companies  and 
researchers  get  together  and  talk  about 
trends,  approaches  and  risks.  We  really 
value  those  relationships  and  we  spend 
time  working  on  them. 

We  have  a  Bay  Area  CSO  Council. 

We  have  several  working  groups  [with 
members  such  as]  Google,  Yahoo,  eBay, 
PayPal  and  Salesforce.com.  Our  security 
teams  are  all  talking.  We  have  the  CSOs 
all  get  together  and  have  different  topics 
for  a  monthly  call.  We  have  different 
sub-groups,  an  advanced  persistent 
threat group, a compliance policy group.
We  share  best  practices.  Along  with  [the 
National  Cyber  Security  Alliance],  we 
work  with  companies  across  the  country 
on  computer- safety  education. 

Facebook  recently  changed  its 
interface,  rolling  out  what  it 
calls  Timeline.  Some  users  are 
objecting  to  this  as  a  violation  of 
privacy.  How  do  you  react  to  that? 

We  always  try  to  learn  and  take 
feedback  well;  at  the  same  time,  we  always 
respect  people’s  intentions  around  the 
audience  they  want  to  share  with.  The 
Internet  used  to  be  divided  into  people 
who  blogged  to  the  whole  world  or  who 
communicated  in  email  to  just  one 
individual. 

One  thing  I  love  about  Facebook  is, 
when  I  share  something  with  my  friends, 

I  see  the  interaction  with  my  friends,  and 
they  don’t  necessarily  know  each  other. 

We  know  there  is  a  social  validation 


because  they’re  both  friends  with  me. 
That’s  what  Facebook  is  all  about,  that 
positive  interaction  with  community. 

Before  the  news  feed,  when  you  went 
onto  the  social  network,  you  saw  your 
own  page.  You  looked  at  yourself.  When  it 
evolved,  all  of  a  sudden  you  had  the  ability 
to  look  at  your  friends’  profiles.  Suddenly, 
you  saw  the  updates  that  your  friends 
had  done  to  their  pages,  and  that  freaked 
people  out. 

It  wasn’t  a  privacy  violation  because 
you  weren’t  being  exposed  to  any  more 
information  than  you  were  the  day  before. 
It  was  all  there,  but  it  felt  very  different. 
The  ticker  on  the  right-hand  side  of  the 
Facebook  page  is  the  same  thing;  there’s 
nothing  there  that  wasn’t  available  to  you 
already,  it’s  just  presented  in  a  different 
way. 

Our  goal  is  to  get  your  friends’  actions 
to  you  in  a  way  that  feels  good  to  you.  One 
of  the  amazing  things  about  Facebook  is, 
every  single  user  sees  a  completely  differ¬ 


ent  page.  We  need  to  be  able  to  provide  a 
completely  different  experience  for  each 
person.  We  can’t  just  dictate  it,  so  that’s 
where  the  individual  controls  come  in. 

What  is  it  like  being  CSO  of  a  one 
of  the  most  visible  companies 
in  the  world— and  one  at  which 
security  is  continually  under 
siege?  Does  it  get  overwhelming? 

I  started  here  in  2008. 1  moved  into  this 
role  at  the  end  of  2009. 1  have  the  best  job 
in  the  world.  I  really  believe  it.  Every  day 
brings  new  and  interesting  things.  If  you 
do  contracts  as  a  lawyer,  you  do  contracts 
no  matter  where  you  work.  But  if  you  do 
security  at  Facebook,  it’s  very  different 
from  doing  security  anywhere  else.  We’re 
dealing  with  new  threats.  We’re  working 
at  a  company  that  appreciates  the  value 
that  security  brings  to  the  company  and 
the  employees.  We’re  allowed  to  have  an 
impact.  And  when  we  do  something,  we 
can  see  the  impact.  ■ 
MOBILE COMPUTING

Bring Your Own

Mobile device management helps bring a level of security to employee devices, but it's only part of the process

THE GOOD NEWS for enterprises: Mobile devices are packed with power. A new iPhone is 100 times lighter, 100 times faster, and 10 times less expensive than the luggable notebooks of the early 1980s.

What's good news for enterprises is also bad news for CISOs. Mobile devices can store substantial quantities of data, the applications are powerful, and their network speeds are forever increasing. And, oh yeah, users are bringing their own devices, downloading their own apps, surfing the Web from whatever connections they choose—all with little to no direct control by the enterprise.

To help make mobile devices more manageable, enterprises are increasingly turning to mobile device management (MDM) applications and services. And MDM can help with security issues—but how much? Experts say this tool can absolutely reduce mobile risk. But they also say relying on an MDM-only mobile security program is like sitting on a one-legged stool.

Mobile Mania

According to Forrester Research, there are more than 40 vendors in the MDM market, offering software with core features such as configuration management, troubleshooting and support, inventory, remote control and reporting capabilities. The market is growing: Research firm IDC pegged the MDM market at about $265 million in 2009, growing at more than 9 percent annually. The firm expects that growth rate to rise to more than 10 percent next year.

These applications reduce risk by being able to detect and remotely wipe data, and by enforcing password and encryption policies. "It makes sense to move to MDM and enforce security policies in a more automated way," says Pete Lindstrom, research director at Spire Security. "With mobile device sprawl, and the value of the applications and data on the devices increasing, more enterprises are going to want to manage the configuration of the devices, what the devices are and where they're being used—many of the things one would expect in traditional asset-management capabilities," he says.

However, traditional asset-management applications, while they helped create some level of security and control over notebooks and telecommuters' systems, certainly fell short of managing everything necessary to keep those systems and data secure. MDM will be no different.

Dig Deeper Than Just the Device

"You can't just focus on the device and expect to have a high level of security," says Rafal Los, chief security evangelist at HP Software Worldwide. "You have to look at the system holistically. That includes the infrastructure, the applications, how data is accessed and used," argues Los. "That includes looking at not only the inherent security of the applications on the device, but also the application servers and databases they connect to," Los says.

Application security has been a plague since before the Web, whether the application resides on a server, desktop, notebook, website or mobile device. And it's a crucial area where MDM tools don't play much of a role beyond pushing patches out to at-risk devices. Consider the privacy flaw in Skype for Android that was discovered last spring: Skype's instant messages were not stored securely, so a malicious app or anyone with access to the device could view the messages' contents. That incident wasn't isolated, and many other mobile app vulnerabilities—including a weakness in a Citibank mobile application—have been identified since.
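The Skype for Android flaw described above is one instance of a broader defect class: private app data written with file permissions that let other users read it (on Android every app runs under its own Linux uid, so the "other" permission bit is what separates one app's files from another's). As an added example that is not part of this article nor code from any product it names, the following Python audits a directory for entries readable by "other" and then remediates them. The directory layout, the file names and the `find_world_readable`/`lock_down` helpers are constructed for this demonstration.

```python
import os
import stat
import tempfile


def find_world_readable(root):
    """Walk `root` and return the relative paths of entries whose mode
    grants read permission to 'other' (S_IROTH). Directories count too:
    a world-readable directory exposes file names even when the files
    inside are locked down. Symlinks are skipped and never followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode   # lstat: inspect the link, not its target
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IROTH:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def lock_down(root):
    """Remediation: strip group/other bits from every offending entry so only
    the owning uid can read it. Returns the relative paths that were changed."""
    fixed = []
    for rel in find_world_readable(root):
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, mode & 0o700)
        fixed.append(rel)
    return fixed


def build_sample_app_dir():
    """Constructed sample (assumption: layout loosely mimics an app's private
    data area). One file is correctly owner-only; the message store carries the
    defect described in the article, a mode readable by any other uid."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.chmod(root, 0o700)
    db_dir = os.path.join(root, "databases")
    os.mkdir(db_dir)
    os.chmod(db_dir, 0o700)
    ok = os.path.join(root, "shared_prefs.xml")
    bad = os.path.join(db_dir, "messages.db")
    with open(ok, "w") as f:
        f.write("<map/>")
    with open(bad, "w") as f:
        f.write("constructed sample: message table")
    os.chmod(ok, 0o600)   # owner read/write only: fine
    os.chmod(bad, 0o644)  # the defect: readable by every other uid on the device
    return root


if __name__ == "__main__":
    sample = build_sample_app_dir()
    for path in find_world_readable(sample):
        print("world-readable:", path)
    print("fixed:", lock_down(sample))
    print("remaining:", find_world_readable(sample))
```

Run against a real device the `root` would be the app's own private data directory; the walk is the same. The check reports mode bits only, so it flags the defect class regardless of what the file contains, which is what a defender wants when the question is "could another app on this device read this?"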

BYOD Changes Everything

"Mobile security is more about the data and the application than it is about the device itself. This is especially true now with the bring-your-own-device [BYOD] trend," says Lindstrom.

Brian Katz, director of mobility at global healthcare company Sanofi, agrees. "When you look at today's mobile device management applications, they were built in the shadow of, 'This is how we do IT today.' They look at device management the same way that enterprises have controlled laptops and desktops for years," says Katz. "That means MDM works best when you own the device. When you provision it. When you can wipe the entire device. When you can decide what you want to do with it. But with BYOD, none of that applies," he says. "You don't own the device, so you can't dictate everything that is done on the device."

Because the enterprise doesn't own the device, it's more dependent on policy—and on trusting that employees will handle the phone or tablet with care. "But that's extremely hard with small devices, even corporate-owned devices," says Lindstrom. "Enterprises anticipate (and tolerate) that there will be more personal use on these devices, as they're expected to be with the employee at all times."

Which brings up another issue as a result of BYOD: privacy.

"You have to think about MDM in terms of legality. For example, a lot of MDMs provide the ability for operations teams and IT employees to track the coordinates of the phone. In some countries there are privacy laws that forbid that. The corporation may not be allowed to track you. You have to look at whether that needs to be turned on or turned off by default, and how you're handling that to make sure that you don't break privacy laws there," Katz says.

To handle those privacy concerns, and so they can focus more closely on corporate-owned applications and data, more enterprises are turning to mobile app management (MAM), which enables organizations to manage specific applications and data without having to worry about the entire device or an employee's personal data. "This approach makes it much easier to manage BYOD in an organization because you have the same features in MAM that you have in MDM, but you're approaching it on an app-by-app basis," says Katz.

That ability makes it more straightforward to wipe only enterprise-owned and -managed data and set password requirements that affect only the enterprise apps. That's why he thinks the industry will move away from MDM and toward MAM, "which will help move the security focus from the device to the data and the applications—where it belongs," says Katz. ■

Freelance writer George V. Hulme is a frequent contributor to CSO. Send feedback to editor Derek Slater at dslater@cxo.com.
[INDUSTRY VIEW]

By John Kirkwood, Security Innovation

Who Should the CISO Report To?

The answer depends on what kind of CISO your company needs

It seems like a simple question. After all, there seems to be little debate about where other C-suite officers should report. While there have been some discussions about the reporting structure for such C-level executives as the chief privacy officer and the chief compliance officer, these are relatively tame compared to the heated debate that I have witnessed and been a part of over the past few years.

The fact that this question is asked at all is an indication of the growing acceptance of the CISO role and function. In 2006, only 22 percent of the more than 7,000 organizations responding to PricewaterhouseCoopers' annual information security survey reported having a CISO or equivalent. By 2011, more than 80 percent of respondents reported having a CISO.

But there remains strong disagreement about to whom the CISO should report. The prevailing recommendation is that the CISO absolutely should not report to the CIO. According to many people who write on this topic, having the CISO report to the IT organization is an inappropriate segregation of duties. However, the fact is that between 40 percent and 60 percent of CISOs do report to the CIO or IT executive, depending on industry. And in some industries there is a clear trend toward this reporting structure.

Even if we all agreed that the CISO should not report to the CIO, that does not answer the question. If you ask seven world-class organizations where the CISO should report, you might well get seven world-class answers, each of them vehemently defended by the company that proposed it.

Let's take a step back and take a look at the question from a different perspective.

When you are introduced to a doctor, you would probably ask, "What type of doctor are you?" The response will indicate the doctor's specialty, skills, training and experience. And if you were looking for an attorney or accountant, your first question to them would be what type of attorney or accountant they were.

When introduced to a CISO, you can't ask that question. We do not think of there being types of CISOs. The question we tend to ask instead is, "Where do you report?"

Who a CISO reports to is a general indicator of the types of duties he or she performs. For example, it's likely that a CISO who reports to legal and compliance won't have security operations responsibilities, but one who reports to the manager of network operations and infrastructure probably will.

The variety of CISO job descriptions is further evidence of the diverse skill sets that organizations currently require from people in that role. A few factors that influence where the CISO reports include enterprise strategy, organizational culture, the company's history with the CISO function, the business's security incident experiences, and compliance requirements.

I suggest that different organizations require different types of CISOs based on these considerations. Of course, circumstances change over time and may require a change in the CISO's reporting structure.

Three Types of CISO

There are three major types of CISOs. Most versions of the role will be a mix of more than one type, but these descriptions provide some insights into where the CISO should report.

1. The Technical Information Security Officer (TISO)

The TISO specializes in technical security issues, operations and monitoring, which includes managing firewalls, handling intrusion-detection and intrusion-prevention systems, and so on. The TISO also coordinates and manages technical policies and control and assessment activities. This person should report to the CIO, CTO or IT management.

30 www.csoonline.com March 2012

Photo by Peter Murphy

2. The Business Information Security Officer (BISO)

The BISO specializes in information security issues related to the business, such as how to securely implement customer-facing technologies and how to appropriately protect customer information. A major purpose of the BISO is to ensure that the business unit or division understands that information security is a business requirement like any other. This person also assists in the implementation and translation of enterprise security requirements, policies and procedures. Additionally, the BISO should perform business security assessments or, at a minimum, coordinate between identified business-related security issues. Ideally, there should be a BISO embedded in every major business unit or division, and he or she should report to business management.

3. The Strategic Information Security Officer (SISO)

The SISO specializes in translating high-level business requirements into enterprise security initiatives and programs that must be implemented to achieve the organization's mission, goals and objectives. The SISO must coordinate with the operations officer and the BISO to ensure appropriate progress. The SISO should also be responsible for metrics, dashboards and executive reports, and for presenting assessments of the state of security in the enterprise to the board of directors. The SISO should report to an executive management function such as the chief risk officer, chief operating officer or chief legal counsel, or to an executive management committee.

When considering who the SISO will report to, think about whether superior executives will be able to appropriately support the SISO. For example, would the CEO be able to spend as much time with the SISO as is needed? The SISO should also be able to represent the corporation externally, that is, with third parties or in cyber insurance discussions.

You may infer that you need more than one type of CISO for your organization—and you may be right. In fact, for some organizations, one CISO is not enough. Seven percent of organizations responding to the PricewaterhouseCoopers' 2011 global information security survey reported having more than one CISO.

So, to whom should the CISO report? The short answer is: to the most effective manager, depending on the type of CISO. ■

John Kirkwood is chief information security and strategy officer for Security Innovation. He is also the chief strategist for Smbiosys. Previously, John has been a global chief information security officer for Royal Ahold and American Express.
Laws and Orders

1. The Senate bill called the Public Company Accounting Reform and Investor Protection Act became law under the name...

a. Sarbanes-Oxley Act
b. Foreign Corrupt Practices Act
c. Bank Secrecy Act
d. Sherman Antitrust Act

2. The first U.S. federal computer crime law was passed in...

a. 1994
b. 1984
c. 1976
d. 1971

3. The global banking standards governing risk management and "capital adequacy" are the...

a. Basel Accords
b. The CLABE (Clave Bancaria Estandarizada)
c. Macroprudential Policy
d. Emergency Banking Act

4. The president who signed the Foreign Corrupt Practices Act into law was...

a. Jimmy Carter
b. Richard Nixon
c. Warren Harding
d. Millard Fillmore

5. The president who signed the RICO anti-corruption act into law was...

a. Jimmy Carter
b. Richard Nixon
c. Martin Van Buren
d. Abraham Lincoln

6. The section of the U.S. Code that deals with criminal law and the penal code is...

a. Title 9
b. Title 18
c. Chapter 7
d. Chapter 13

7. The European Union's privacy rules are called...

a. Data protection directive
b. PIPEDA
c. SOPA
d. HIPAA

8. Which president, seeking new national security laws, said: "There are citizens of the United States who have poured the poison of disloyalty into the very arteries of our national life; who have sought to bring the authority and good name of our government into contempt, to destroy our industries and to debase our politics..."

a. John Adams, 1798
b. Woodrow Wilson, 1915
c. Harry Truman, 1945
d. George Bush, 2001

How'd You Do?

0-4 points: Woefully ignorant
5-6 points: Willfully mediocre
7-8 points: Buried in paperwork